June 2017 - keycloak-user - Jboss List Archives

Is there a form/basic fallback option for Keycloak SAML adaptor for Tomcat?

by ken edward

Hello, Looking at the Keycloak SAML adaptor for Tomcat I see that it seems to say the login authentication parameter from the web.xml are "ignored" (can't say SPNEGO, BASIC). Is there any way to implement FORM based authentication fallback for the Keycloack SAML Adaptor? <login-config> <auth-method>BASIC</auth-method> <realm-name>this is ignored currently</realm-name> </login-config> https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java... Can something like this be done: <login-config> <auth-method>SPNEGO</auth-method> <realm-name>SPNEGO</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config> Ken

8 years, 10 months

1
0
0 / 0

Activate only features needed using cluster

by Fabien SINTES

Hello, I need to design a secure infrastructure with many zones (vlan, fw filtering...). Is it possible to separate this roles : - URI for token Delivery, authentification (openid connect, oauth) - internal user database (or is it possible only if external ldap server is used ?) - Admin UI - Admin Rest API This différents servers would be in cluster (sync allowed by filtering between zones). I have understand it is possible to configure "localhost" for this services but is it possible to disable it ? and having all this roles working fine in cluster ? Thank you. Fabien.

8 years, 10 months

1
0
0 / 0

Is there a SAML SP valve for tomcat and ADFS?

by ken edward

Hello, I have an Idp (my ADFS) and I have a tomcat server with a simple j2ee web application. I know I can stand up a key cloak sever, and use an SP adapter for tomcat, BUT is there a way to simply install a tomcat SP valve/libs that would talk to the IdP and bypass having to install the keycloak server ? Kinda like this picketlink implementation: https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink Ken

8 years, 10 months

2
1
0 / 0

Default Realm Roles Not Set When role-ldap-mapper is configured for AD

by Adrian Matei

Hi everyone, When I configure an LDAP Role Mapper for Active Directory the Default Roles of the Realm are not set anymore when a user registers himself or if I create one via the Keycloak Admin Console. Configuration: Mapper type: role-ldap-mapper LDAP Roles DN: subtree in AD Role LDAP Attribute: cn Role Object Classes: group Membership LDAP Attribute: member Membership Attribute Type: DN Membership User LDAP Attribute: uid Mode: LDAP_ONLY User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_Attribute Use Realm Roles Mapping: ON Does anyone have a solution, or should I create a Jira Issue for that? Best regards, Adrian

8 years, 10 months

2
3
0 / 0

spring-sec-adapter - impersonating

by java_os

Would has any pointers on implementing sso where admin could impersonate an existing user. Flow: ng-client(aquires the token - public client) -> rest api (Keycloak bearer client) Read this thread but was left out : http://lists.jboss.org/pipermail/keycloak-user/2015-April/001945.html Appreciate it.

8 years, 10 months

3
3
0 / 0

Log as a group feature

by Fabien SINTES

Hello, I'm looking for an IAM SSO system with the following feature, I'm just Learning about open id connect... : I need to allow a user to "log as a group" and inform the client (remote web site). It seems not possible with keyloak but I would happy to find a solution (other iam allow this feature but I would prefere redhat support). I think I could add an information in the json token witch would mean "I am fabien, I am member of this groups and I want you to identify me as FinancialGroup". With json information like user:fabien, impersonation:FinancialGroup.... The client (remote web site) would read json information and will authenticate the user fabien but using his group to identify the user for different internal actions. Do you think it is Something possible and a good practice ?! In this case, it is also needed to custom login page to permit the user to choose this option "user:... , pwd..., login as...". And the combo box for "login as" should list the user groups available. Is it possible ? Sorry for my English... Thank you very much. Fabien

8 years, 10 months

1
0
0 / 0

Login a Java Fat Client with Windows Kerberos Token agains Keycloak backed by AD?

by Malte Finsterwalder

Hi, I have the following setup: I'm programming a Java Fat Client application. I want to integrate it into SSO with Keycloak. Our Keycloak is connected to our Windows Active Directory (AD). So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and sends that to Keycloak. Keycloak should authorize the token agains the AD and send back an authorization token to the Fat Client, so I can later use this Keycloak token to access other Rest-Services. Fat Client (with Kerberos Token) -> Keycloak -> AD Fat Client (with Keycloak Token) -> REST-Service I can't find anything in the documentation regarding this szenario. Is this possible? And if so, how? Greetings, Malte

8 years, 10 months

2
1
0 / 0

How to change link to verify-email in email template?

by Alex Berg

I have a proxy running which proxies "www.mydomain.com/auth/" to "mykeycloakhost/auth/realms/MyApp/". I think it's less noisy for users of my website. In dev, when I have keycloak send a "verify email" action, the URI in the email is "localhost:8080/auth/realms/MyApp/login-actions/ execute-actions?key=the-key" How do I change this URI in the "verify email" email to be "localhost:8080/auth/login-actions/execute-actions?key=the-key"? I see it's calculated like: UriInfo uriInfo = session.getContext().getUri(); UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(), token.serialize(session, realm, uriInfo)); String link = builder.build(realm.getName()).toString(); - Source: /services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java#L139 <https://github.com/keycloak/keycloak/blob/70d7e07526546cd20d8cbbc6d055759...> I'm not great at understanding Java and OO, so I can't figure how where "session.getContext()" is defined. How are other people solving this? Should I just remove the link variable in the email template and use a hardcoded link?

8 years, 10 months

2
2
0 / 0

Java Admin client with signed JWT

by Denny Israel

Hi, i am using the java admin client to configure my keycloak instance. At the moment i use client secrets to authenticate against keycloak but want to use a signed JWT. I know how to enable the signed JWT Auth in Keycloak and how to pass a JWT via authorization() method to KeycloakBuilder (at least i think it would work ;-)). Is there a convenient way to create such a token? What should such a token contain? The javadoc of KeycloakBuilder gives example usages of username/password and client secret authentication but not of JWT authentications. best regards Denny

8 years, 10 months

1
0
0 / 0

Unable to set proxy on identity brokering (apache http client)

by Boutin Damien

Hello, We are hardly trying to configure our access to our IDP, using a proxy. After quick look in the source code, it looks that some changes have been done in the SimpleHttp class, used to access token endpoint of the idp, to use the Apache Http Client. (jira https://issues.jboss.org/browse/KEYCLOAK-2486) Looking in the "org.keycloak.connections.httpclient.HttpClientBuilder" class, I don't see any configuration in RequestConfig that could allow to use system properties, or explicit proxy configuration. Could you tell me if I'm looking at the wrong place or if I missed something ? Thanks in advance.

8 years, 10 months

1
0
0 / 0

Keycloak / FreeIPA: "Sync registration"

by Antoine Carton

Hello, Is there any news regarding user creation support from Keycloak to FreeIPA LDAP (i.e. "Sync registration" feature in Keycloak) ? Last thread seems to be http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html Thanks!

8 years, 10 months

2
2
0 / 0

UTF8 encoding prior v2.5

by Marc Tempelmeier

Hi, we updated our Keycloak 2.4 to 3.1, there was a bug in 2.4: https://issues.jboss.org/browse/KEYCLOAK-3439 Our database is still latin 1 though after the update, does anyone know what we should change that the data gets correctly into mysql? Best regards Marc

8 years, 10 months

2
3
0 / 0

Authorization settings can't be exported more than once on 3.1.0.Final

by Stephane Granger

I am running into a weird issue. After creating a client which uses the Authorization settings, the settings can only be exported 1 time. Rebooting the key cloak server doesn't clear the problem. Steps to reproduce. Create TEST realm Create TEST client, make sure the Authorization Enabled slider is set to ON, click save. Create the following Roles for the client role1 role2 role3 Go on the Authorization tab create 3 policies: policy1, policy2, policy3 with corresponding required role1...3 from the TEST client create Authorization Scopes: scope1, scope2, scope3 create Resources: resource1 with scope2, resource2/scope2 and resource3/scope3 finally, create the permissions resource based: permission1/resource1/policy1 resource based: permission2/resource2/policy2 scope based: permission3/scope3/policy3 On the Authorization tab of the TEST client, click on the Export button. This will work. Navigate back to a different realm, and back again to the Authorization tab of the TEST client, try exporting again, this time it will fail. Restarting the Keycloak server does not clear the problem. Here are the logs: 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37) UT005023: Exception handling request to /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-1c6afb22f7a5/authz/resource-server/settings: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: Error while exporting policy [policy1]. at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: Error while exporting policy [policy1]. at org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(ExportUtils.java:386) at org.keycloak.exportimport.util.ExportUtils.lambda$exportAuthorizationSettings$3(ExportUtils.java:313) at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) at org.keycloak.exportimport.util.ExportUtils.exportAuthorizationSettings(ExportUtils.java:313) at org.keycloak.authorization.admin.ResourceServerService.exportSettings(ResourceServerService.java:133) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more Caused by: java.lang.NullPointerException at org.keycloak.exportimport.util.ExportUtils.lambda$createPolicyRepresentation$7(ExportUtils.java:351) at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) at org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(ExportUtils.java:353) ... 68 more

8 years, 10 months

2
3
0 / 0

NoRouteToHostException - Using external Infinispan with Keycloak on OpenShift platform

by Vikrant Singh

Hi, I am running Keycloak(3.1.0.Final) on Openshift platform. I am using external infinispan(9.0.1-Final) for sessions, work and offlineSessions cache to achieve multi datacenter failover. Below is configuration for infinispan remote-store in Keycloak > <local-cache name="sessions"> > <remote-store passivation="false" fetch-state="false" purge="false" > preload="false" shared="true" cache="sessions" > remote-servers="remote-cache"> > <property name="rawValues">true</property> > <property > name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property> > </remote-store> > </local-cache> <outbound-socket-binding name="remote-cache"> > <remote-destination host="${env.INFINISPAN_HOST}" > port="${env.INFINISPAN_PORT:11222}"/> > </outbound-socket-binding> External Infinispan cluster is front ended by a load-balancer(kubernetes service) which provides a static hostname for infinispan and this hostname is configured in keycloak for keycloak to infinispan communication. The setup work fine but if all instances(pods) in external infinispan goes down and we bring up the cluster again, keycloak is not able to get to new infinispan instance and it keeps trying on old ip address with below error. The issue seems to be keycloak trying to use ip address instead of load balancer hostname provided in configuration. As we are running on openshift, infinispan instances will get new ip address each time it is restarted. ERROR [org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation] (persistence-thread--p8-t108) ISPN004007: Exception encountered. Retry 10 out of 10: org.infinispan.client.hotrod.exceptions.TransportException:: Could not fetch transport at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.borrowTransportFromPool(TcpTransportFactory.java:405) at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.getTransport(TcpTransportFactory.java:244) at org.infinispan.client.hotrod.impl.operations.BulkGetKeysOperation.getTransport(BulkGetKeysOperation.java:29) at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:53) at org.infinispan.client.hotrod.impl.RemoteCacheImpl.keySet(RemoteCacheImpl.java:670) at org.infinispan.persistence.remote.RemoteStore.process(RemoteStore.java:135) at org.infinispan.persistence.manager.PersistenceManagerImpl.processOnAllStores(PersistenceManagerImpl.java:447) at org.infinispan.persistence.manager.PersistenceManagerImpl.processOnAllStores(PersistenceManagerImpl.java:432) at org.infinispan.persistence.util.PersistenceManagerCloseableSupplier.lambda$get$261(PersistenceManagerCloseableSupplier.java:115) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.infinispan.client.hotrod.exceptions.TransportException:: Could not connect to server: /10.0.34.100:11222 at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.<init>(TcpTransport.java:78) at org.infinispan.client.hotrod.impl.transport.tcp.TransportObjectFactory.makeObject(TransportObjectFactory.java:37) at org.infinispan.client.hotrod.impl.transport.tcp.TransportObjectFactory.makeObject(TransportObjectFactory.java:16) at org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:1220) at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory.borrowTransportFromPool(TcpTransportFactory.java:400) ... 11 more Caused by: java.net.NoRouteToHostException: No route to host at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) at sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source) at sun.nio.ch.SocketAdaptor.connect(Unknown Source) at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.<init>(TcpTransport.java:68) ... 15 more Is there anyway we can force keycloak to use hostname instead of resolving to ip address? Thanks, Vikrant

8 years, 10 months

1
0
0 / 0

Access client session in Freemarker template

by John Kalantzis

Hello, Is there a way to access the client session in the FreeMarker login template? I'm looking for a way to display redirect_uri and possibly an extra parameter in the page (which are stored in the client session, if I'm not mistaken) but I don't see them anywhere in the available beans. Thanks!

8 years, 10 months

1
0
0 / 0

Browser tries to store the username "This is not a login form" after updating a temporary password

by Gregoire Jeanmart

Hello, One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly. Is there a way to fix this issue ? Information: - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL - Browser: Google Chrome and Mozilla Firefox - Similar issue: https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-... Thanks in advance. Gregoire Jeanmart

8 years, 10 months

6
9
0 / 0

Not before policy in accesstoken uses dash-separator (in json), why?

by Jakob Thun

Hello Keycloak gurus, Quick simple question out of curiosity. Since all other AccessToken fields use a underscore_separator, why is the not-before-policy with dashes. See: https://github.com/keycloak/keycloak/blob/3.1.x/core/src/main/java/org/ke... Anyone have a clue? Regards Jakob

8 years, 10 months

2
2
0 / 0

Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT

by Matthew Woolnough

Trying to compile Keycloak and running into numerous issues. Skipping tests like so currently as too many issues mvn -Dmaven.test.skip=true install -e How can I resolve this & whats the recommended environment for compiling? I need to code an SPI. I've tried all the major OS, a few variants of Linux, numerous branches, but they all throw errors during compilation. [ERROR] Failed to execute goal on project keycloak-testsuite-tomcat8: Could not resolve dependencies for project org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project keycloak-testsuite-tomcat8: Could not resolve dependencies for project org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:221) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies(LifecycleDependencyResolver.java:127) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved(MojoExecutor.java:246) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:200) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194) at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107) at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993) at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345) at org.apache.maven.cli.MavenCli.main(MavenCli.java:191) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356) Caused by: org.apache.maven.project.DependencyResolutionException: Could not resolve dependencies for project org.keycloak:keycloak-testsuite-tomcat8:jar:3.2.0.CR1-SNAPSHOT: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:208) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies(LifecycleDependencyResolver.java:195) ... 23 more Caused by: org.eclipse.aether.resolution.DependencyResolutionException: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:393) at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve(DefaultProjectDependenciesResolver.java:202) ... 24 more Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:453) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:255) at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:376) ... 25 more Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.keycloak:keycloak-testsuite-integration:jar:tests:3.2.0.CR1-SNAPSHOT at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:443) ... 27 more [ERROR] [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExce... [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvn <goals> -rf :keycloak-testsuite-tomcat8

8 years, 10 months

2
1
0 / 0

Different URLs for front-end redirect and back-channel

by Manfred Duchrow

Hi, we're having a scenario with a Keycloak (OIDC) protected classic web application (no SPA) which has the restriction that it is not allowed to do any internet requests from its server within the DMZ it is located. Due to this restriction it cannot execute any back-channel requests (e.g. /token, /userinfo) to Keycloak because the configured "auth-server-url" is the front-end URL which is only visible through internet and actually points to Firewall/Loadbalancer component. Now the question: What do you think about an enhancement request for Keycloak (server and OIDC adapter) to allow different URLs for front-end (browser redirect) and back-channel URLs? That would imply several changes: 1. The server side endpoint implementations (UserInfoEndpoint, TokenIntrospectionEndpoint) are using TokenVerifier which by default checks the token issuer. This check will fail because the realmUrl of the back-channel request will be unequal to the token's issuer URL, which comes from the session created at login with the front-end URL. There are several variants to handle this: a) There is already a boolean varibale "checkRealmUrl" in TokenVerifier to disable this check, but no way to set it to false. It might be an option to support a switch per client to disable/enable this check. b) Instead of deriving the issuer name from the current request URL it might be possible to (optionally) provide an explicit issuer name field per realm. That would allow setting issuer names that are completely independent of any network infrastructure. c) When issuing a token through TokenEndpoint, set the issuer to the current /token request URI rather than using the one from the associated session. see TokenManager.initToken(): token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER)); 2. The OIDC adapters must support a new (optional) configuration parameter (e.g. "auth-server-redirect-url") to allow setting a separate front-end URL. Do you see any security issue with such an enhancement? Cheers, Manfred

8 years, 10 months

1
0
0 / 0

User Group Admins

by Shanon Levenherz

Hi all, I’ve come across this post [1] which describes user group admins. I followed the thread to here [2] but don’t think it went further? I’m curious if this feature is in the roadmap or JIRA as I couldn’t find it. Implementing user group admins would be a huge step to supporting my requirements/desired architecture (some of which were summarized in my previous mail [3]). Thanks! Best, Shanon [1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005792.html> [2] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html <http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005794.html> [3] http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html <http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html>

8 years, 10 months

2
1
0 / 0

running multiple instances without clustering

by Sam Davis

Hi, I understand that Keycloak supports clustering, but I am wondering if it is possible to run multiple instances of Keycloak using the same configuration database *without* using clustering, i.e. using the standalone <https://keycloak.gitbooks.io/documentation/server_installation/topics/ope...> operating mode. It looks like the only difference between this and using the standalone clustered mode is that the caches will not be synchronized between the instances. I understand that it could cause some weird behaviour with user sessions (e.g. a user logs out on one instance but is still logged in on another, or vice versa). Would it cause any more serious problems (e.g. corrupt configuration database) or create security vulnerabilities? The use case is that my application bundles Keycloak and the application and Keycloak run on the same server. If the server goes down, another instance of the application on another server will take over, and that instance will redirect users to another keycloak instance running on that server. So I don't really need clustering, since normally only a single Keycloak instance will actually be used at a time and will only be used by a single application. Thanks, Sam

8 years, 10 months

2
3
0 / 0

Email template used by Admin API's "send-verify-email" endpoint

by Alex Berg

Looks like the "PUT /admin/realms/{realm}/users/{id}/send-verify-email" Admin REST API endpoint doesn't use the "email-verification.ftl" template. Rather, it uses the "executeActions.ftl" template. Is this intended?

8 years, 10 months

1
0
0 / 0

E-mail as username with LDAP federation

by Plank Martin

Hello, I have a realm with this configuration: - User registration allowed, E-mail as username enabled - LDAP user federation with Kerberos enabled, sAMAccountName attribute mapped to username, mail attribute mapped to user's e-mail The problem is that when user updates his profile through account form, username is rewritten and the value of e-mail address is set to the username attribute. User is then invalidated and deleted, because the usernames in Keycloak and LDAP do not match. Is my realm configuration supposed to work correctly? Or I must have mail attribute from LDAP mapped to both username and e-mail in Keycloak to keep it consistent? Thanks Martin

8 years, 10 months

2
1
0 / 0

Allowing multiple JWT issuers in a devel environment

by Jonathan Little

I'm trying to set up a devel environment with Keycloak in a Docker container, a back-end service in a separate linked Docker container, and a front end web app that authenticates against Keycloak and then uses a bearer token with the back end service. Bearer token validation is failing in this case due to the JWT's iss field not matching the realm URL: the realm URL is based on a hostname in the Docker network but the login occurred against localhost from the browser running outside Docker via a host port mapping. This is obviously a devel specific scenario and I'd like to be able to opt in to multiple allowed issuers, an issuer regex, skipping issuer verification, or some other workaround. AFAIKT there is no mechanism for this and the options are: 1) Add an entry to the devel machine's hosts file so that the browser can use the same hostname as the Keycloak container has in the Docker network. This is simple but undesirable because I'd rather not have to globally modify the devel machine configuration for this. 2) Run the devel Keycloak server outside of Docker at a known externally accessible hostname. This is potentially the cleanest solution (although it may have redirect issues with locally hosted devel websites -- I haven't tried yet) but I'd really like to be able to run Keycloak locally. 3) Somehow hack or customize the token validation code. The issuer check is fairly deep and I don't see any convenient or palatable hacks though. This seems to me like it'd be a common situation but is it legitimate or am I thinking about this wrong? Does anyone else have any ideas or think this would be a worthwhile addition to the library? Seems to me that multiple issuers or an issuer regex would be clean solutions. If this makes sense I will file a feature request (not sure if PRs are accepted on this project), but it seems like such an ordinary situation that I feel like I must be missing something!

8 years, 10 months

2
2
0 / 0

How to store "UserPassword" in LDAP through Keycloak Admin Client?

by Celso Agra

Hi all, Please, need some help! I'm trying to create an user through Keycloak Admin Client. So, When I add an user from Keycloak register page my LDAP stores a tag called "userPassword" with the password stored. But When I add an user from Keycloak Admin Client, all informations are stored in LDAP, except "userPassword". Am I doing something wrong? Here is my code below: public Response createUserKeycloak(UserKeycloak userKeycloak) { > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue(userKeycloak.getPassword()); > credential.setTemporary(false); > UserRepresentation user = new UserRepresentation(); > user.setUsername(userKeycloak.getUsername()); > user.setFirstName(userKeycloak.getFirstName()); > user.setLastName(userKeycloak.getLastName()); > user.setEnabled(true); > if (userKeycloak.getEmail() != null) > user.setEmail(userKeycloak.getEmail()); > user.setCredentials(Arrays.asList(credential)); > > RealmResource realmResource = keycloak.realm(realmProperties.getRealm()); > UsersResource userRessource = realmResource.users(); > return userRessource.create(user); > } Best Regards, -- --- *Celso Agra*

8 years, 10 months

2
2
0 / 0

User sessions not ending upon automatic logout

by Kyle Swensson

Hello, I am having an issue with refresh tokens while using keycloak with the Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7 The issue arises when I authenticate with keycloak as a basic user using tomcat. When this happens a session is started for my basic user, which I believe means that I am given a refresh token. Then, I navigate to the Keycloak Admin Console page on a different window. Since I am authenticated as a basic user, since Keycloak uses SSO it will try to automatically log my current user into the Admin Console, but it will fail since my basic user is not configured to be able to use the admin console. After it fails, Keycloak "logs out" my current user because I don't have permissions to access the admin console. The problem is that this "logout" that Keycloak just did doesn't end the basic user's session for some reason, and thus it doesn't invalidate their refresh token. This is a problem because it means that if I go back to my basic user's application, even though keycloak supposedly logged me out, I can still use the refresh token to get more access tokens for the application, and thus continue using the application as normal even though I'm not technically logged in. Worse still, the logout functionality ceases to work because since Keycloak thinks my user isn't logged in, telling Keycloak to log my user out doesn't work. This makes it so that the only way to actually invalidate my current refresh token is by going to "My Account" as the basic user, and ending all current sessions for them. It's worth noting that this *only *happens when the basic user is automatically logged out when Keycloak tries to sign it in to the admin console automatically. For example, if I have the admin console window open before I log my basic user in, and then while I am logged in with my basic user I log in normally to the admin console with a different user, Keycloak will successfully log out my basic user and end their session, invalidating their refresh token, like it should. I'm wondering if this is an actual bug with Keycloak, or if this is just being caused by some user error on my side, because I can't really figure out a workaround for this issue. One potential workaround that I have found is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm Settings" section of the Keycloak admin console, however this is making my application run quite strangely, and I'm not certain why. If upgrading to Keycloak 3.0 would fix the problem I can do that, however it will likely be a fair bit of work so I don't really want to upgrade unless I'm certain it will fix the problem.

8 years, 10 months

2
1
0 / 0

Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

by Nirmal Kumar

Hello Keycloak, I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end. I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great. FLOW: ------- Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app. GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential); // Create GSSContext to call other kerberos-secured services GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME); As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS. Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS? Many Thanks, -Nirmal ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

8 years, 10 months

2
2
0 / 0

Understanding Offline Tokens

by Mike Hills

Hi All, I need to implement offline tokens ( https://keycloak.gitbooks.io/documentation/content/server_admin/topics/se...) for a number of our REST services. I followed the instructions provided and it seems to work well. I do have a couple of questions to confirm my approach please. 1. The generated offline refresh token is used to return a valid token using the grant_type of refresh_token. Does this mean that the refresh_token call must be made each time (assuming previous token has timed out)? 2. Is it best practice to hand out the same token for each client that needs to authenticate against the service or create a new client for each client service? Any help is appreciated, Regards, mike -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills(a)sematree.com Skype : mhills_sematree

8 years, 10 months

2
1
0 / 0

backchannel logout, Logout-all-sessions as user

by Jan Bartosz

Hi, My concern is about logging 'logout-all-sessions' action as a user. I see AdminEvent is raised in case admin invokes it. I assume it was done by purpose - is there some rule/specification behind, like "backchannel logouts shouldn't be exposed to the outside world"? Is there a way I can create some provider/broker/... maybe aspect, or extend some behaviour to catch this backchannel-logout? Many Thanks in advance!

8 years, 10 months

3
3
0 / 0

Multiple tenants in a single realm

by Shanon Levenherz

Hi there, I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants ( their customers ) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to eg. administer the users or create a sub group for a new tenant. Something like this: REALM | |- User 1 (user-admin role) | |- Tenant 1 Group | | | |- User 1.1 (user-admin role) | |- User 1.2 | |- … | |- User 1.n | |- Tenant 2 Group | | | |- User 2.1 (user-admin role) | |- User 2.1 | |- … | |- User 2.n | | | |- Tenant 3 Group | | | |- User 3.1 (user-admin role) | |- User 3.2 | |- … | |- User 3.n From the above we’re looking for: * User 1 is the realm/platform administrator and has full control over all groups/users * User 1.1 is the administrator for Tenant 1 * User 2.1 is the administrator for Tenants 2 and 3 * User 3.1 is the administrator for Tenant 3 I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke: >I like that idea. A better alternative might be that each group has an >"user-admin" role. If a user has the "user-admin" role of the group, it >can administer users in that group and assign roles defined in that >group. One thing to really think about is, what about sub-groups. Can >an admin of the parent group administer sub groups? This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing. Disclaimer: I’m new to Keycloak so maybe am misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help. Thank you! Best, Shanon

8 years, 10 months

1
0
0 / 0

Password policy for the last used passwords

by Sarp Kaya

Hello, My keycloak configuration has password policy enabled for all users and it also has the Not Recently Used part specified to some number. I have a simple use case: 1. I create user 2. I set a password for this user 3. I delete this user I repeat this step again, with the same username and password and I get an error on 2nd step which is "Invalid password: must not be equal to any of last x passwords.” The problem is, I can only have this error on admin API, if I do it on the admin UI then I don’t get it. Now obviously if it was the same “user” it would make sense, but since I delete this username and create a new user, which has different user ID; then I would expect it to behave differently. I am using Keycloak 3.1.0 and Java adapter which has 3.1.0 as well. The below are the code 1. Creating user: keycloak.realm(usersRealm).users().create(someUserRepresentation); 2. Resetting password of the user: CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation(); representation.setTemporary(false); representation.setType(PASSWORD); representation.setValue(password); UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId); userResource.resetPassword(passwordCredRepresentation); 3. Deleting the user: keycloak.realm(usersRealm).users().delete(keycloakId)) I definitely know that delete user works because once I run this, I don’t see any user and when I run create user code, I can see a user account with different ID. My question is, is this intentional or a bug? If it is intentional, then how can I clear user’s password history? I tried looking that up in admin api but could not find any call. Thanks, Sarp

8 years, 10 months

2
1
0 / 0

Implementing Keycloak on Android

by Raquel Júdez Bello

Hi everyone, I am having trouble finding libraries to implement a Keycloak client for Android. So far, I have found AppAuth and Androgear in keycloak.org, but I am not convinced about their simplicity. Has anyone implemented a simple client for Android? Thank you very much. -- Raquel Júdez.

8 years, 10 months

6
6
0 / 0

Same user with multiple sessions/tokens?

by rafterjiang

Hello, I am using Keycloak openID endpoint to retrieve access token from keycloak server using Direct Access Grant mode. I found each time a NEW request is made using SAME user account/credential, Keycloak returns a *NEW *access token. (So I can see the same user with multiple sessions) In this way, I am not sure if a refresh token is still needed, because we can basically get a new token for each request and NOT care about the expiration? Is this expected? Is same user supposed to have many access tokens? Is there any potential issues to work in this way? thanks, R -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Same-user-with-multiple-sessions... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 10 months

2
1
0 / 0

Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

by Nirmal Kumar

Hello Keycloak, I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end. I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great. FLOW: ------- Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app. GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential); // Create GSSContext to call other kerberos-secured services GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME); As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS. Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS? Many Thanks, -Nirmal ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

8 years, 10 months

1
0
0 / 0

Key Rotation for SAML client

by Muein Muzamil

Hi all, We have a business use case, where we'll have a realm with 50+ SAML clients configured and we want to update the SAML key for the realm (either for security reason or the certificate got expired), I was reading following section but it seems mostly focused on OIDC.Can someone please share how does KeyCloak handle this for SAML? Important thing to realize is, we cannot imagine our customer to update realm certificate in all 50+ service providers at the same time. https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/key... Regards, Muein

8 years, 10 months

3
3
0 / 0

Re: [keycloak-user] Questions about OpenID Connect Identity Provider

by Christie, Marcus Aaron

Hi Sebastian, Thanks, this looks perfect for my use case. Thanks again, Marcus On Jun 1, 2017 2:25 AM, "Schuster Sebastian (INST/ESY1)" <Sebastian.Schuster(a)bosch-si.com> wrote: Hi Marcus, Both should be possible. For 1) have a look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id... and for 2) look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id... Best regards, Sebastian Mit freundlichen Grüßen / Best regards Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn > -----Original Message----- > From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user- > bounces(a)lists.jboss.org] On Behalf Of Christie, Marcus Aaron > Sent: Mittwoch, 31. Mai 2017 21:19 > To: keycloak-user(a)lists.jboss.org > Subject: [keycloak-user] Questions about OpenID Connect Identity Provider > > Hello, > > I have two questions about Identity Provider configuration in Keycloak. > > 1) I would like to add an Identity Provider and then have this be the only option > available to the user for authentication. Is there a way to disable the > username/password authentication and not show it on the login screen? > > 2) Is there a way to redirect to Keycloak and have it immediately redirect to an > Identity Provider? As an example, let’s say I have two Identity Providers, Google > and Facebook. In my web application I know that the user wants to log in via > Google so I want to redirect to Keycloak and tell Keycloak to select the Google > Identity Provider and redirect to it immediately. Maybe something like my web > application redirects to keycloak like so: > > https://mykeycloak.org/auth/realms/myrealm/protocol/openid- > connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&s > elected_identity_provider=google > > and then mykeycloak.org<http://mykeycloak.org> immediately redirects to > Google. For the user they don’t see the Keycloak page. > > Is there any functionality like the in Keycloak? > > > Thanks, > > Marcus > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 10 months

1
0
0 / 0

How to assign a role at registration?

by mark

I have a number of client roles - how can I programmatically set/assign a particular role when a user registers with Keycloak?

8 years, 10 months

2
1
0 / 0

Questions about OpenID Connect Identity Provider

by Christie, Marcus Aaron

Hello, I have two questions about Identity Provider configuration in Keycloak. 1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen? 2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let’s say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to keycloak like so: https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?r... and then mykeycloak.org<http://mykeycloak.org> immediately redirects to Google. For the user they don’t see the Keycloak page. Is there any functionality like the in Keycloak? Thanks, Marcus

8 years, 10 months

3
3
0 / 0

How does a bearer only client validate

by Pulkit Gupta

Hi All, I have two keycloak client one is a public client using implicit flow and authenticating the user via a redirect and then once the user is authenticate the client receives a token. This token is then passed to a REST based backend service which validate it before providing access to the API data. I am looking for more information on how does a bearer only client validates the token which it receives from the JavaScript based public client. I will also be interested to understand more about the relationship of these two clients based on scope to make this setup work -- PULKIT

8 years, 10 months

2
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2017